diff options
author | Robert Loehning <robert.loehning@qt.io> | 2020-11-05 13:52:39 +0100 |
---|---|---|
committer | Robert Loehning <robert.loehning@qt.io> | 2020-11-09 16:07:01 +0000 |
commit | ad9ca01853e90bdbe45f7ac2e8edd75cd0862801 (patch) | |
tree | da320f977daef448825951627c3c7806ef52fe29 /src/network | |
parent | 7b1bbdb10ca1d89c9d6603e1e4baf9435a2e6ce5 (diff) |
QAsn1Element: Read value in blocks to avoid oom at wrong length
Fixes oss-fuzz issue 22272.
Pick-to: 5.15
Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/ssl/qasn1element.cpp | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/src/network/ssl/qasn1element.cpp b/src/network/ssl/qasn1element.cpp index 65a0e08961..13fc095e12 100644 --- a/src/network/ssl/qasn1element.cpp +++ b/src/network/ssl/qasn1element.cpp @@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream) if (length > quint64(std::numeric_limits<int>::max())) return false; - // value + + // read value in blocks to avoid being fooled by incorrect length + const int BUFFERSIZE = 4 * 1024; QByteArray tmpValue; - tmpValue.resize(length); - int count = stream.readRawData(tmpValue.data(), tmpValue.size()); - if (count != int(length)) - return false; + int remainingLength = length; + while (remainingLength) { + char readBuffer[BUFFERSIZE]; + const int bytesToRead = qMin(remainingLength, BUFFERSIZE); + const int count = stream.readRawData(readBuffer, bytesToRead); + if (count != int(bytesToRead)) + return false; + tmpValue.append(readBuffer, bytesToRead); + remainingLength -= bytesToRead; + } mType = tmpType; mValue.swap(tmpValue); |